This is our old Q&A Site. Please post any new questions and answers at

i have a pcap and filter it to a TCP stream index and source ip. i want to build a file from the packets (reconstruct) streamed data.

is there away to do this with Wireshark? or do i need to create my own method for this?

asked 19 Mar '12, 15:38

auldh's gravatar image

accept rate: 0%

That depends on what you're trying to do.

If you want all the data from one or both sides of a TCP connection, try using Analyze->Follow TCP Stream and saving from that.

If you want an object transferred with, for example, HTTP or the SMB file access protocol, try File->Export->Objects->{HTTP,SMB} (it will offer a list of objects in the capture and let you save one or all of them).

If neither of those are what you want, you might want to look at tcpflow.

permanent link

answered 19 Mar '12, 17:30

Guy%20Harris's gravatar image

Guy Harris ♦♦
accept rate: 19%

thank you i will do. i only want onside of the stream the receiving side.

(30 Mar '12, 08:39) auldh

the protocol is TCP. i want to extract the TCP segment data of the specified bytes on the receive side/source.

i want to reconstruct that it is not a VOIP so i can't use the telephony feature.

(31 Mar '12, 09:36) auldh

Then it sounds as if you want the first of my suggestins - Analyze->Follow TCP Stream, which, as I remember, will let you save only one side of the conversation if you want that.

(31 Mar '12, 19:17) Guy Harris ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 19 Mar '12, 15:38

question was seen: 13,479 times

last updated: 31 Mar '12, 19:17

p​o​w​e​r​e​d by O​S​Q​A